Chapter 6 Cybercrimes
Spam
• Good marketing points?
  • Cheap
  • Highly effective
PgP BUSA331 Chapter 8
Spam
• Bad points?
  • Makes up 90% of U.S. e-mail!
Spam Avoidance
• Never reply
• Do not put email address on web site
• Use alias email address in newsgroups
• Do not readily give out email address
• Use spam filter
• Never buy from spam
CAN-SPAM
• Controlling Assault of Non-Solicited Pornography and Marketing Act
• Does not ban sending spam
  • Due to 1st Amendment, free speech
• Some states have more restrictive laws
CAN-SPAM Requires
• Accurate email headers, valid return address
• Opt-out procedures
  • Why not opt-in?
  • Clear notice of opt-out
  • Compliance with opt-out within 10 days
• Label commercial email as solicitation
• Sender’s valid physical address
• Warning labels on sexually oriented material
CAN-SPAM Prohibits
• Misleading subject lines
• Email address harvesting
CAN-SPAM Enforcement
• FTC
• AGs (Attorneys General)
• ISPs
• No private right of action
CAN-SPAM Prosecutions
• Illinois, Florida, New York, California
• Bottom line: has done little to impede the spam onslaught
State SPAM Laws
• Patchwork, non-uniform
• Jurisdictional questions
• Opt-in requirements
• Limited by First Amendment issues
Foreign SPAM Laws
• Main issue is enforcement
Fighting SPAM
• FTC (Federal Trade Commission): truth in advertising laws
• Trademark infringement
• RICO (Racketeer Influenced and Corrupt Organizations Act)
• Computer Fraud and Abuse Act: unauthorized computer use to get email addresses
Murking
• Bills vs Laws
Mail Bombs
• Excessive email to overload server storage
• Denial of service attack
Permission Based Marketing
• Legal, because requested
• Opt-in
• RSS feed sign up…
Chapter 9 Social Engineering and Identity Theft
Ultimate Goal
• Steal passwords, Personally Identifiable Information: your ‘identity’
• In order to profit
• Internet enables this without physical contact
Email Spoofing
• Forge email header
• Appears email came from other than true sender
• Why spoof?
  • Avoid identification under spam laws
  • Hide identity, avoid liability for illegal activity
  • Download Trojans to control computers
  • Obtain confidential information
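Added example, not part of the slides: a receiving-side check, in Python, for the traces a forged header usually leaves behind. It parses a message with the standard `email` library and compares the visible From: domain with the Return-Path (envelope sender) and Reply-To domains, and reads the SPF/DKIM/DMARC verdicts that the receiving mail server records in the Authentication-Results header. The two sample messages (`SPOOFED`, `LEGIT`), every domain in them, and the function names are constructed for this example and do not come from the course.

```python
# Added example (not from the slides): spot the traces a forged e-mail header
# leaves at the receiving server. Everything below, including the two sample
# messages and their domains, is constructed for illustration.
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Dict, List


def sender_domain(header_value) -> str:
    """Lower-case domain of the first address in a header, '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(header_value) -> Dict[str, str]:
    """Extract method=result pairs (spf=pass, dkim=fail, ...) from an
    Authentication-Results header; the receiving MTA adds this header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header_value or ""), re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def spoof_indicators(raw: bytes) -> List[str]:
    """Return the reasons a message looks spoofed; an empty list means none fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    from_dom = sender_domain(msg["From"])
    return_dom = sender_domain(msg["Return-Path"])
    reply_dom = sender_domain(msg["Reply-To"])
    # 1. The visible From: domain should match the envelope sender (Return-Path).
    if from_dom and return_dom and from_dom != return_dom:
        reasons.append(f"From domain {from_dom} != Return-Path domain {return_dom}")
    # 2. Replies steered to a third domain are a classic phishing tell.
    if from_dom and reply_dom and from_dom != reply_dom:
        reasons.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # 3. Any recorded SPF/DKIM/DMARC result other than 'pass' is suspicious.
    for method, result in auth_results(msg["Authentication-Results"]).items():
        if result != "pass":
            reasons.append(f"{method} result is {result}")
    return reasons


# Constructed sample: forged From:, different envelope sender, failed SPF.
SPOOFED = b"""Return-Path: <bulk-42@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Your Bank" <security@bank.example>
Reply-To: support@bank-help.example
To: victim@example.com
Subject: Verify your account

Please confirm your login at the link below.
"""

# Constructed sample: headers and authentication results agree.
LEGIT = b"""Return-Path: <security@bank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: "Your Bank" <security@bank.example>
To: customer@example.com
Subject: Monthly statement

Your statement is ready.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, spoof_indicators(raw) or "no indicators")
```

A mail filter would use these indicators as inputs to a score rather than as a hard verdict: legitimate mailing-list and bulk senders routinely have a Return-Path that differs from From:, so the Authentication-Results verdicts, which the receiving server itself produced, carry the most weight.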
Phishing
• Use of official-looking emails to trick people into revealing
  • Usernames
  • Passwords
  • Other Personally Identifiable Information
• Result: loss of confidence in web transactions
Ice Phishing?
• No, but there is…
  • Personalized Phishing: target victim by name, already have some info, hoping to get more
  • Spear Phishing: pose as high level executive, demand info
    • Effective against soldiers
  • Whaling: target high level executives
• Lesson: think twice before clicking IM or email hyperlink!
Pharming
• Similar to phishing
• Use web sites to obtain personal info
• DNS exploits
Identity Theft
• Goal: obtain key personal info
  • Falsely obtain goods & services
• Sources
  • Database cracking
  • Social engineering
  • Pretexting
  • Survey
• Results: large $ loss
  • But credit cards safer on web
Social Security Numbers
• De facto national identifier
• Key to a person’s identity
• SSNs can be found online in government records
Personal Information Safeguard
• Dumpster diving
  • Shred your garbage?
• Be mindful of https
• Review credit reports
• Do not reveal SSN unless a must
• Wary of giving personal info
• Overwrite old hard drives
  • Copy machine hard drives?
Identity Theft Penalty Enhancement Act
• Sounds good: mandatory jail time for possessing identity info with intent of committing crime
• Real issue: hold info handlers accountable for data they collect
CAAS?
• Have you heard of Software as a Service (SAAS)? A hot new trend in technology
• How about CAAS?
  • Crimeware as a Service
• Criminals never stop innovating
Chapter 10 Cybercrimes Using Technology
Targets
• Computers (like yours!)
• Internet connection
Terminology
• Beware-cybercrime terms (trojan, virus, malware…) often used interchangeably, but they are different
Computer Cybercrime: Cookie Poisoning
• Cookies: data to enhance web browsing experience
• Cookie downside: tracking
• Cookie poisoning: attacker modifies cookie
• For protection, encrypt cookies
• Cookie background at GRC
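Added example, not part of the slides: how a web application can make cookie poisoning detectable rather than silently trusted. This Python code attaches an HMAC-SHA256 tag to the cookie payload and rejects any cookie whose data no longer matches the tag, which is the integrity half of the slide's "encrypt cookies" advice; hiding the contents as well would need authenticated encryption (for example AES-GCM from a crypto library), which is left out so the block runs on the standard library alone. The key value, the `now` parameter and all function names are assumptions made for this example.

```python
# Added example (not from the slides): integrity-protected session cookies.
# Any change to the data part invalidates the HMAC tag, so a poisoned cookie
# is rejected. SECRET_KEY is a placeholder; a real deployment loads a random
# key from configuration and never ships it in source.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"placeholder-change-me-32-random-bytes"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, key: bytes = SECRET_KEY, ttl: int = 3600,
                now: Optional[float] = None) -> str:
    """Serialise payload plus an expiry and append an HMAC-SHA256 tag: '<data>.<tag>'."""
    current = now if now is not None else time.time()
    body = dict(payload, exp=int(current + ttl))
    data = _b64(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(key, data.encode("ascii"), hashlib.sha256).digest()
    return f"{data}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY,
                  now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if tag and expiry check out, otherwise None."""
    try:
        data, tag = cookie.rsplit(".", 1)
        expected = hmac.new(key, data.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
            return None
        body = json.loads(_unb64(data))
    except (ValueError, UnicodeError):  # malformed base64, JSON or non-ASCII input
        return None
    current = now if now is not None else time.time()
    if body.get("exp", 0) < current:
        return None
    return body


def poisoning_demo():
    """Issue a cookie, then replay the poisoning move the slide describes: edit
    'role' in the data part while keeping the original tag. Returns the role
    read from the genuine cookie and the verification result for the edited one."""
    genuine = sign_cookie({"user": "alice", "role": "customer"})
    data, tag = genuine.rsplit(".", 1)
    edited = json.loads(_unb64(data))
    edited["role"] = "admin"
    poisoned = _b64(json.dumps(edited, separators=(",", ":"), sort_keys=True).encode()) + "." + tag
    return verify_cookie(genuine)["role"], verify_cookie(poisoned)


if __name__ == "__main__":
    print(poisoning_demo())  # the edited cookie verifies as None
```

The constant-time comparison matters: comparing tags with `==` would let timing differences leak how many leading bytes of a guessed tag were right. The expiry bound limits how long a stolen cookie stays useful, a separate problem from poisoning but cheap to cover in the same check.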
Computer Cybercrime: Spyware
• Tracks and forwards data without user consent
• Uses computer for malicious purposes
• Also slows performance, crashes computer
• FTC investigates, has prosecuted under federal computer privacy laws
• Sears has used spyware on customers (oops)
• Steal user stock account login
  • Sell portfolio
  • Manipulate stocks using account
• Avoid public computers, change passwords often
Computer Cybercrime: Drive-by Download
• Program download without consent
  • Viewing web site or email
• Similar to spyware
• Form of computer trespass
• Avoid by using security software
Computer Cybercrime: Malware
• Virus: copies itself, infects computer
• Worm: self-replicating virus
• Trojan horse: malicious program within harmless program, like spyware; non-self-replicating
• Used to take control
Internet Connection Cybercrime: Wardriving
• Using Wi-Fi laptop to map Wireless Access Points
• Subsequent use of Internet connection is telecommunications theft
Internet Connection Cybercrime: Piggy-backing
• Using wireless internet connection without permission
• State laws vary
• Countries vary
Internet Connection Cybercrime: Issues
• Others use your internet connection to commit cybercrimes
  • Downloading child pornography
• Is a business liable for the unauthorized use of their unsecured wireless internet connection to commit a crime?
  • Courts not yet involved
• Solution: secure / encrypt wireless access!
What’s Next?
• Electromagnetic Keyboard Sniffing
  • Steal computer keypress/keystrokes from 65 feet away wirelessly!
  • http://en.wikipedia.org/wiki/Keystroke_logging#Electromagnetic_emissions
Chapter 11 Cybercrimes and Individuals
Mule Scam
• Victim/mule (usually unknowingly) helps launder stolen online funds
• Uses mule’s PayPal account to transfer defrauded victim’s funds
• Mule paid commission from % of defrauded victim’s funds
• Defrauded victim contacts mule seeking funds back
• eBay will require mule to pay innocent defrauded victim
Cyberstalking
• Using email, IM, blog… to harass victim
• Also incite others against victim
• Can be combined with real world stalking
Corporate Cyberstalking
• Corporation stalking ex-customer or ex-employee
• Or vice versa, but less likely
Cyberstalking Law
• No federal law
• State law varies
• Harassment vs stalking
• Harassment barred by 41 states
Federal Statutes-Securities
• Spam, message boards and chat rooms used to hype stocks, trying to manipulate prices
• Also violate state securities laws
• SEC estimates 100 million stock spam messages per week
• IPO quiet time (90 day) can be violated by blog or tweet
USA PATRIOT Act
• Rushed response to 9/11 attacks
• Amended many federal statutes
• Civil liberty protections suffered
• Lessened standard for government to intercept electronic messages
• Broad reach, beyond terrorists
USA PATRIOT Act
• Subpoena of bank account and credit card numbers from ISPs
• Request ISP to release customer info voluntarily
• Danger in government labeling someone terrorist
• Expansive search warrant powers
• Secret ‘National Security Letters’ without court order!
  • Declared unconstitutional in 2004
• FBI eavesdrops on computer traffic
Online Gambling
• Est. 2006 revenue: $12 billion
• Est. 2010 revenue: $25 billion, half from U.S.
• State regulated
• Internet issues: may be legal in other locations, but not where bet is placed
• Eight states outlaw online gambling
• British online gambling execs arrested on U.S. soil
Gambling Types
• Casino
• Sports
International Level
• No agreement, legal in some countries
• Countries complain about U.S.
• WTO declares U.S. out of compliance
  • Either let citizens gamble online
  • Or total ban (including lottery tickets)
Wire Wager Act of 1961
• Prohibits use of wire transmission in interstate or foreign commerce of bets, wagers, information on them
• Government must prove
  • Engaged in gambling
  • Interstate transmission of bets…
  • Used wire communication facility
  • Acted knowingly
Unlawful Internet Gambling Enforcement Act (2006)
• Congress goes after money, not gamblers
• Illegal to process gambling payments
• But U.S. gamblers may use off-shore payment processors
Virtual Crime
• Online multiplayer environments
  • Habbo
  • Second Life
• Virtual goods, so virtual or actual theft?
• Physical coercion to obtain virtual artifacts
• Second Life does $1 million/day of commerce!
• Will only get worse…